(54) Title: CONDITIONAL ACCESS SYSTEM
(57) Abstract

An access control processor for a conditional access system in which encrypted information
segments provided by a plurality of information service providers are encrypted for
transmission in accordance with different conditional access processes respectively utilizing
different algorithms for encrypting the information segments. The processor includes a
decryptor in an information receiver for decrypting encrypted information segments received
by the information receiver by processing the received encrypted information segments with a
session key used for encrypting the information segments in accordance with an algorithm
utilized in one of said conditional access processes; and a conditional access controller in
the information receiver for selectively enabling the decryptor to decrypt received
information segments encrypted in accordance with any of said different conditional access
processes by providing to the decryptor cryptographic information for defining the algorithm
utilized in said one of said different conditional access processes for use by the decryptor
to decrypt the received information segment encrypted in accordance with said algorithm.
Algorithm-defining cryptographic information is downloaded from an information stream
received by the information receiver. Transmission of the cryptographic information for
enabling the conditional access controller to enable the decryptor to decrypt a selected
information segment may be requested by the conditional access controller and downloaded to
the conditional access controller from an information stream received by the information
receiver. A message related to an authorization status of the information receiver is
retrieved for display from a plurality of different possible authorization status messages
within an information stream received by the information receiver. Computer readable storage
media are so configured as to cause the access control processor to perform its various
functions.
CONDITIONAL ACCESS SYSTEM

CROSS-REFERENCE TO RELATED APPLICATION

This is a continuation-in-part of copending application No. 08/303,409 filed
September 9, 1994.

BACKGROUND OF THE INVENTION

The present invention pertains to systems and methods for securely controlling
access to information segments distributed to information receivers in a point-to-point or
point-to-multi-point network. Such systems are known as conditional access systems.
The information may include video, audio, text, data and/or any other type of information
that may be subject to conditional access. An information segment is a given block of
information, such as a television program, a given block of text or a given block of data,
that typically is transmitted over a relatively short duration.

There is a need for competitiveness and open standards for customer information
receivers used in conditional access systems. However, equipment vendors are motivated
to maintain proprietary standards, whereby conditional access service providers often have
been dependent upon a single source of equipment. Nevertheless, information network
service providers, such as telephone companies, desire to maintain at least two sources for
the equipment installed in conditional access systems included within information
distribution networks.

In the prior art, encrypted information segments respectively provided by a
plurality of different conditional access information service providers are respectively
encrypted for transmission in accordance with different conditional access processes,
which may respectively utilize different algorithms for encrypting the information
segments; and the differently encrypted information segments are respectively decrypted
by differently configured information receivers respectively containing access control
processors adapted for enabling decryption of only encrypted information segments
encrypted in accordance with one of the different conditional access processes. An
encryption algorithm is a process by which a given signal is processed with a key (signal)
to transform the given signal into an encrypted signal that is unintelligible or by which the
given signal can be recovered by corresponding processing of the encrypted signal with a
corresponding key. The parameters of an encryption algorithm determine the order of
selection for processing of bits in the given signal, the key and intermediate signals
produced by such processing, and the sequence of such processing.

An exemplary prior art conditional access system is described in United States
Patent No. 4,631,901 to Klein S. Gilhousen, Charles F. Newby and Karl E. Moerder and
United States Patent No. 4,712,238 to Klein S. Gilhousen, Jerrold A. Heller, Michael V.
Harding and Robert D. Blakeney. In such conditional access system, an information
segment is encrypted for transmission by scrambling the information segment with a
keystream that is produced by processing a secure session key in accordance with a
predetermined encryption algorithm, such as the DES encryption algorithm. In an
information receiver of such a conditional access system, the encrypted information signal
is decrypted by descrambling the encrypted information segment with a keystream that is
produced by processing the secure session key in accordance with the predetermined
encryption algorithm. The session key is a key that is processed to produce the keystream
that is used to scramble an information segment for a given transmission of the encrypted
information segment. Typically the session key is processed with another key and/or a
data signal to produce the keystream. In the two above-cited patents, the session key is
referred to as a channel key.



An object of the present invention is to enhance the scope and utility of conditional 
access systems by providing a conditional access system and method that allows an 
information receiver of an information distribution network to be configured on an open 
standard basis for use with different proprietary systems of a plurality of different 
conditional access service providers over a common information distribution network, in 
which each conditional access service provider determines only the parameters of the 
cryptographic system design required to enable conditional access to the information 
provided by such conditional access service provider. 

The prior art has suggested a conditional access system that would enable
encrypted information segments respectively encrypted for transmission in accordance
with different conditional access processes to be descrambled through use of a standard
information receiver having a standard interface common to all present and future
conditional access systems and a plurality of detachable conditional access modules
respectively provided by the different conditional access information service providers for
enabling a common descrambler in the information receiver to descramble received
information segments encrypted in accordance with any of the different conditional access
processes. In such a system the use of a common descrambler to decrypt encrypted
information segments provided by any of a plurality of different information service
providers that respectively encrypt information segments for transmission in accordance
with any of a plurality of different conditional access processes respectively utilizing
different algorithms for encrypting the information segments would make it necessary that
each of the detachable conditional access modules respectively provided by the different
conditional access information service providers include the portion of the decryptor that
generates the common descrambling keystream by processing the secure session key used
for encrypting the information signal in accordance with the predetermined encryption
algorithm respectively utilized in the conditional access process used by the respective
information service provider.

SUMMARY OF THE INVENTION 

The present invention provides an access control processor for a conditional access
system in which encrypted information segments provided by a plurality of information
service providers are encrypted for transmission in accordance with different conditional
access processes respectively utilizing different algorithms for encrypting the information
segments, the processor comprising a decryptor in an information receiver for decrypting
encrypted information segments received by the information receiver by processing the
received encrypted information segments with a session key used for encrypting the
information segments in accordance with an algorithm utilized in one of said conditional
access processes; and a conditional access controller in the information receiver for
selectively enabling the decryptor to decrypt received information segments encrypted in
accordance with any of said different conditional access processes by providing to the
decryptor cryptographic information for defining the algorithm utilized in said one of said
different conditional access processes for use by the decryptor to decrypt the received
information segment encrypted in accordance with said algorithm. The cryptographic
information for defining the encryption algorithm may define various bit selection and/or
processing parameters of a predetermined algorithm, such as the DES algorithm, or such
cryptographic information may define the entire predetermined algorithm.

The access control processor of the present invention is ideally suited for use in an
information receiver of an information distribution network that is configured on an open
standard basis for use with different proprietary systems of a plurality of different
conditional access service providers over a common information distribution network, in
which each conditional access service provider determines only the parameters of the
cryptographic design uniquely required to enable conditional access to the information
provided by such conditional access service provider. Only those portions of the
conditional access controller that control conditional access parameters that are not
common to all of the service providers need be contained in a detachable conditional
access module that would be interfaced with the information receiver for enabling
decryption of encrypted information segments provided by such service provider, thereby
reducing the cost of the detachable conditional access modules, which are replaced from
time to time in order to enhance the security of the conditional access system of the
respective information service provider.

The present invention also provides a conditional access system including the 
above-described access control processor in combination with encryption means for 
encrypting information segments for transmission in accordance with different conditional 
access processes respectively utilizing different algorithms for encrypting the information 
segments. 

In another aspect, the present invention provides an access control processor for a
conditional access system in which an encrypted information segment provided by an
information service provider is encrypted for transmission in accordance with a conditional
access process utilizing an algorithm for encrypting the information segment, the
processor comprising a decryptor in an information receiver for decrypting encrypted
information segments received by the information receiver by processing the received
encrypted information segments with a session key used for encrypting the information
segments in accordance with an algorithm utilized in said conditional access process; and a
conditional access controller in the information receiver for enabling the decryptor to
decrypt received information segments encrypted in accordance with said conditional
access process by providing to the decryptor cryptographic information for defining the
algorithm utilized in said conditional access process for use by the decryptor to decrypt
the received information segments encrypted in accordance with said algorithm, wherein
the conditional access controller includes means for detecting within an information stream
received by the information receiver cryptographic information for defining the algorithm
used for encrypting information segments in accordance with said conditional access
process, and means for downloading the detected cryptographic information from said
information stream.

In a further aspect, the present invention provides an access control processor for a
conditional access system in which an encrypted information segment provided by an
information service provider is encrypted for transmission in accordance with a given
conditional access process, the processor comprising a decryptor in an information
receiver for decrypting encrypted information segments received by the information
receiver; and a conditional access controller in the information receiver for enabling the
decryptor to decrypt received information segments encrypted in accordance with the
given conditional access process; wherein the conditional access controller includes means
for requesting transmission to the information receiver of cryptographic information for
enabling the conditional access controller to enable the decryptor to decrypt a selected
information segment; and means for downloading cryptographic information transmitted
to the receiver in response to said request.

The present invention further provides a conditional access system including the
immediately-above-described access control processor in combination with encryption
means for encrypting an information segment for transmission in accordance with a given
conditional access process, and means for responding to the request for transmission of
cryptographic information by providing the requested cryptographic information for
transmission to the information receiver.

In still another aspect, the present invention provides an access control processor
for providing for display of a message related to an authorization status of an information
receiver in a conditional access system for receiving an information segment, the processor
comprising means for processing an authorization signal related to the information
segment to determine which of a plurality of different possible authorization statuses is
applicable to the information segment; means for retrieving from a plurality of different
possible authorization status messages within an information stream received by the
information receiver a message applicable to the status determined by said processing; and
means for providing the retrieved message for display.

In still an additional aspect, the present invention provides an access control
processor for selecting an applicable authorization status of an information receiver for
receiving an information segment when the information segment is provided separately by
each of a plurality of different service providers in a conditional access system, the
processor comprising means for processing a plurality of authorization signals respectively
related to the information segment provided separately by the plurality of different service
providers; means for determining which of a plurality of different possible authorization
statuses is applicable for the received information segment for each of the respective
authorization signals related to the different service providers; and means for selecting
one of the determined statuses in accordance with a predetermined priority.

The present invention also provides computer readable storage media for use in an
access control processor, which storage media are respectively so configured as to cause
the access control processors to perform various functions of the above-described access
control processors of the present invention.

The present invention further provides the methods that are carried out by the
above-described access control processors and conditional access systems.

Additional features of the present invention are described with reference to the
detailed description of the preferred embodiments.

BRIEF DESCRIPTION OF THE DRAWING 

FIG. 1 is a block diagram of a preferred embodiment of a conditional access
system according to the present invention.

FIG. 2 is a block diagram of an information server in the system of FIG. 1.

FIG. 3 is a block diagram of an alternative preferred embodiment of the
information receiver in the system of FIG. 1.

FIG. 4 is a block diagram of one preferred embodiment of the conditional access
controller in the systems of FIGS. 1 and 3.

FIG. 5 is a block diagram of another preferred embodiment of the conditional 
access controller in the systems of FIGS. 1 and 3. 
DETAILED DESCRIPTION

Referring to FIG. 1, a preferred embodiment of a conditional access system
according to the present invention includes a plurality of information servers 10a, 10b and
one preferred embodiment of an information receiver 12. The information servers 10a,
10b may be separately located or they may be included in a distribution hub that receives
information segments 14a, 14b transmitted from different sources and encrypts the
information segments for further transmission. The information receiver 12 may be an
end-user information receiver or included in a distribution hub that receives information
segments 14a, 14b transmitted from different sources and encrypts the information
segments for further transmission.

A first information server 10a encrypts clear information segments 14a provided by
a first information service provider A for transmission in accordance with a first
conditional access process utilizing a first algorithm A for encrypting information
segments 14a; and a second information server 10b encrypts clear information segments
14b provided by a second information service provider B for transmission in accordance
with a second conditional access process utilizing a second algorithm B for encrypting
the information segments 14b. The first conditional access process is different from the
second conditional access process and the first algorithm A is different from the second
algorithm B. As indicated by the dashed line 15, the clear information segments 14a may
be the same as the clear information segments 14b; but usually the clear information
segments 14a are different from the clear information segments 14b.

Referring to FIG. 2, a preferred embodiment of the information server 10a includes
an encryptor 18, an entitlement message generator 20, a signal encoder 22 and an
authorization processor 28.

The encryptor 18 encrypts the clear information segments 14a by processing the
information segments 14a with a session key K in accordance with the first algorithm A
utilized in the first conditional access process to provide encrypted information segments
23. The session key K is included in cryptographic information 24 that is processed by the
entitlement message generator 20 with entitlement information 25 to provide entitlement
messages 26. The encoder 22 combines the encrypted information segments 23 and
entitlement messages 26 to provide a combined signal 27 for transmission. Examples of
entitlement information are described in the aforementioned U.S. Patent No. 4,712,238 as
the program mask, the program cost, the credit signal and the authorization word.
Examples of cryptographic information, as described in said patent, include the channel key
(session key), the category key and the subscriber key generation number. Examples of
entitlement messages, as described in said patent, include the channel rekey message and
the category rekey message. Transmission of the combined signal 27 may be
accomplished by communication satellite, microwave, cable, telephone and/or land lines.

The operation of the authorization processor 28 and the entitlement message
generator 20 in response to a request for cryptographic information signal 29 is described
below with reference to an alternative embodiment feature of the conditional access
controller shown in FIG. 4.



Referring again to FIG. 1, one preferred embodiment of an information receiver 12
for use in a conditional access system according to the present invention includes an
access control processor 30 including a decryptor 31 and a conditional access controller
32, a demultiplexer 33, a user interface processor 34, an information processor 35 and an
information output device 36, such as a television set, having a video monitor 37 and/or an
audio speaker (not shown). Alternatively, or additionally, the information output device
36 may include such other components as a personal computer, a printer, and/or a video
cassette recorder. The decryptor 31, or a portion thereof, may be embodied in a
replaceable security element, such as a smart card (not shown).

The demultiplexer 33 demultiplexes a received combined signal 38 containing
encrypted information segments and entitlement messages and provides the received
encrypted information segments 23 to the decryptor 31 and the received entitlement
messages 26 to the conditional access controller 32.

The user interface processor 34 responds to inputs (not shown) initiated by a user
of the information receiver 12 by providing either a service request signal 40 or an
authorization request signal 41 to the conditional access controller 32.

The conditional access controller 32 processes the entitlement messages 26 to
determine whether the decryptor 31 in the information receiver 12 is authorized to decrypt
encrypted information segments 23 identified by the service request signal 40. Upon
determining that the decryptor 31 and thereby the information receiver 12 is so authorized,
the conditional access controller 32 provides appropriate cryptographic information 42 to
the decryptor 31 to thereby enable the decryptor 31 to decrypt the received encrypted
information segments 23. The cryptographic information 42 includes the session key K
and cryptographic data for defining the algorithm A or B utilized in the conditional access
process used to produce the encrypted information segments 23 identified by the service
request signal 40.

The decryptor 31 then decrypts the received encrypted information segments 23 by
processing the received encrypted information segments 23 with the session key K used
for encrypting the information segments in accordance with the algorithm A or B utilized
in the conditional access process used to produce the encrypted information segments 23,
to thereby reproduce the clear information segments 14, which are provided to the
information processor 35.

Upon determining the authorization status of the information receiver 12, the
conditional access controller 32 causes a status message 43 applicable to the determined
authorization status to be provided to the information processor 35 for display by the
video monitor 37 of the information output device 36.

The information processor 35 processes the clear information segments 14 to
cause the output device 36 to provide an output to the user of the information receiver 12.
When the clear information segments 14 represent a television signal, the output device 36
causes a picture to be provided on a video monitor 37 and also provides an audio output
signal to the speaker in the information output device 36. When the clear information
segments 14 represent text and/or data, the information processor 35 causes the text
and/or data to be displayed on the video monitor 37 and may also cause such text and/or
data to be printed out by a printer (not shown) coupled to the information processor 35.
Such clear information 14 representing text and/or data may be stored initially in a
memory (not shown) for later processing by the information processor 35.

The information processor 35 processes the status message 43 to cause the output
device 36 to display the message 45 to the user of the information receiver 12 on the video
monitor 37. The information processor 35 may process the status message 43 together
with the clear information segments 14 in such a manner as to cause the displayed message
45 to be superimposed over a picture provided on the video monitor in response to
processing of the clear information segments 14. Alternatively, the information processor
35 may give priority to processing of the status message 43 and supersede any display of
a picture in response to processing of the clear information segments 14 by causing only
the displayed message 45 to be displayed on the video monitor 37 for a short duration.

Referring to FIG. 3, an alternative embodiment of an information receiver 49 for
use in the conditional access system of the present invention includes an access control
processor 50 including a decryptor 51 and a conditional access controller 52, a
demultiplexer 53, a user interface processor 54, an information processor 55 and an
information output device 56, such as a television set, having a video monitor 57 and/or an
audio speaker (not shown). The decryptor 51, or a portion thereof, may be embodied in a
replaceable security element, such as a smart card (not shown).

The decryptor 51 receives a combined signal 58 containing encrypted information
segments and entitlement messages.

The demultiplexer 53 is coupled to the decryptor 51 and demultiplexes the
combined signal 59 from the decryptor 51 containing information segments and
entitlement messages and provides the received information segments 14 to the
information processor 55 and the received entitlement messages 60 to the conditional
access controller 52.

Until the decryptor 51 is enabled for decryption, the combined signal 59 provided
from the decryptor 51 to the demultiplexer 53 includes encrypted information segments.

The user interface processor 54 responds to inputs (not shown) initiated by a user
of the information receiver 49 by providing either a service request signal 62 or an
authorization request signal 63 to the conditional access controller 52.

The conditional access controller 52 processes the entitlement messages 60 to
determine whether the decryptor 51 in the information receiver 49 is authorized to decrypt
encrypted information segments identified by the service request signal 62. Upon
determining that the decryptor 51 and thereby the information receiver 49 is so authorized,
the conditional access controller 52 provides appropriate cryptographic information 64 to
the decryptor 51 to thereby enable the decryptor 51 to decrypt the received encrypted
information segments included in the received combined signal 58. The cryptographic
information 64 includes the session key K and cryptographic data for defining the
algorithm A or B utilized in the conditional access process used to produce the encrypted
information segments identified by the service request signal 62. Since the combined
signals 27a provided by the information server 10a of information service provider A may
incorporate the encrypted information segments into the combined signal 27a in a different
format than the format used for such purpose by the information server 10b of information
service provider B, the cryptographic information 64 provided to the decryptor 51 by the
conditional access controller 52 further includes format data that enables the decryptor 51
to decrypt only the encrypted information segments included in the combined signal 58.

After the decryptor 51 has been enabled for decryption, the combined signal 59
provided from the decryptor 51 to the demultiplexer 53 includes clear information
segments rather than encrypted information segments.

The decryptor 51 decrypts the received encrypted information segments in the
combined signal 58 by processing the received encrypted information segments with the
session key K used for encrypting the information segments in accordance with the
algorithm A or B utilized in the conditional access process used to produce the encrypted
information segments, to thereby reproduce the clear information segments 14, which are
provided by the demultiplexer 53 to the information processor 55.

Upon determining the authorization status of the information receiver 49, the
conditional access controller 52 causes a status message 66 applicable to the determined
authorization status to be provided to the information processor 55 for display by the
video monitor 57 of the information output device 56.

The information processor 55 processes the clear information segments 14 and the
status message 66 to cause the output device 56 to provide an output to the user of the
information receiver 49 in the same manner as described above with reference to the
information processor 35 and the output display device 36 of the information receiver 12
shown in FIG. 1.

Referring to FIG. 4, the conditional access controller 32, 52 of either the
information receiver 12 shown in FIG. 1 or the information receiver 49 shown in FIG. 3
includes a control processor 70, an authorization processor 71, a cryptographic
information generator 72, a memory 74 preferably including one or more smart cards 75,
and a message display driver 76. The cryptographic information generator 72, or a
portion thereof, may be embodied in a replaceable security element, such as a smart card
(not shown). In one embodiment, a portion of the memory 74, a portion of the
cryptographic information generator 72 and a portion of the decryptor 31 are embodied in
a common replaceable security element, such as a smart card (not shown). In describing
the conditional access controller shown in FIG. 4, only the reference numerals shown in
FIG. 1 are used to refer to the various signals and components that are shown in both
FIGS. 1 and 3, although the corresponding reference numerals shown in FIG. 3 for such
signals and components also are applicable.

The control processor 70 processes the entitlement messages 26 to provide
authorization messages 79 to the authorization processor 71 and cryptographic messages
80 to the cryptographic information generator 72.

The authorization processor 71 responds to a service request signal 40 by
processing the authorization messages 79 with authorization data 82 stored in the memory
74 to determine whether the decryptor 31 in the information receiver is authorized to
decrypt encrypted information segments identified by the service request signal 40. Upon
determining that the decryptor 31 and thereby the information receiver is so authorized,
the authorization processor 71 provides an appropriate status signal 84 to the
cryptographic information generator 72. An example of an authorization processor is
described in the aforementioned U.S. Patent No. 4,712,238 with reference to FIG. 1. In
the conditional access controller of FIG. 4, the status signal 84 includes both an enable
signal and data identifying either conditional access process A or conditional access
process B as the conditional access process used for encrypting the information segment
identified in the service request signal 40.

The cryptographic information generator 72 responds to the status signal 84 by 
processing the cryptographic messages 80 together with cryptographic data 86 retrieved 
from the memory 74 to thereby provide to the decryptor 31 the cryptographic information
42 that enables the decryptor 31 to decrypt the received encrypted information segments
23 identified by the service request signal 40. As indicated above, the cryptographic
information 42 includes the session key K and cryptographic information for defining the
algorithm A or B utilized in the conditional access process used to produce the encrypted
information segments identified by the service request signal 40.

The data for defining algorithm A or B included in the cryptographic information
42 is retrieved from the memory 74 as part of the cryptographic data 86 utilized in
accordance with the conditional access process A or B identified in the status signal 84 as
the conditional access process used for encrypting the information segment identified in
the service request signal 40. In one embodiment, the memory 74 stores the cryptographic
information for defining the different algorithms A and B respectively used in the different
conditional access processes. In another embodiment, the cryptographic information for
defining each algorithm A, B is stored in a separate replaceable security element, such as
the smart card 75, and is provided therefrom to the cryptographic information generator
72. The memory 74 may include a plurality of such smart cards 75 respectively provided
by the different conditional access information service providers and respectively storing
the cryptographic information for defining the different algorithms A, B utilized for
decrypting the received encrypted information segments 23 in accordance with the
different conditional access processes A and B.

When the service request signal 40 identifies a selected information segment that is 
provided by each of a plurality of different service providers, the authorization processor 
71 processes authorization signals in the authorization messages 79 related to the selected
information segment provided by each of the plurality of the different service providers to
determine which of a plurality of different possible authorization statuses is applicable to
the selected information segment provided by each of the service providers, and selects for
decryption in accordance with a predetermined priority based upon such status
determinations the encrypted information segment provided by one of the service
providers. Examples of different statuses include, in order of priority: "blacked-out",
"locked-out", "authorized", "available for pay-for-view" and "not presently authorized".
The conditional access process A or B used by the service provider for encrypting the
information segment selected in accordance with such predetermined priority is identified
in the status signal 84 provided to the cryptographic information generator 72 so as to
cause the cryptographic generator 72 to include in the cryptographic information 42 the
cryptographic information for defining the algorithm used for encrypting the selected
information segment provided by such service provider. Such predetermined priority may
be changed from time to time by downloading new priority data from the information
stream received by the information receiver 12, 49 or from a new smart card inserted into
the memory 74.
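
The priority-based selection and algorithm hand-off described above can be sketched as follows. This is an added example, not code from the patent. The class and function names, the rule that only the "authorized" status raises the enable signal, the fail-closed handling of a missing algorithm definition, and the sample values are all assumptions.

```python
from dataclasses import dataclass, replace
from typing import Mapping, Optional, Sequence

# Status names in the order of priority the description lists (highest first).
# Kept as data because the text says the priority can be replaced by a
# download or a new smart card.
DEFAULT_PRIORITY = (
    "blacked-out",
    "locked-out",
    "authorized",
    "available for pay-for-view",
    "not presently authorized",
)


@dataclass(frozen=True)
class Determination:
    """Authorization status determined for one provider's copy of the segment."""
    provider: str    # e.g. information server "10a" or "10b"
    ca_process: str  # conditional access process the provider encrypts with
    status: str


@dataclass(frozen=True)
class StatusSignal84:
    """Enable signal plus the identity of the conditional access process."""
    enable: bool
    ca_process: str


@dataclass(frozen=True)
class Outcome:
    provider: str
    signal_84: StatusSignal84
    signal_88: str                   # status handed to the message display driver
    crypto_info_42: Optional[dict]   # session key + algorithm-defining data
    request_29_to: Optional[str]     # provider asked for cryptographic information


def select_by_priority(determinations: Sequence[Determination],
                       priority: Sequence[str] = DEFAULT_PRIORITY) -> Determination:
    """Pick the determination whose status ranks highest in `priority`."""
    if not determinations:
        raise ValueError("no provider offers the selected segment")
    rank = {status: i for i, status in enumerate(priority)}
    for d in determinations:
        if d.status not in rank:
            # An unranked status must not slip through as "best" or "worst".
            raise ValueError(f"status {d.status!r} is not in the priority data")
    # min() keeps the first of equally ranked entries, so ties go to list order.
    return min(determinations, key=lambda d: rank[d.status])


def handle_service_request(determinations: Sequence[Determination],
                           algorithm_store: Mapping[str, bytes],
                           session_key: bytes,
                           priority: Sequence[str] = DEFAULT_PRIORITY,
                           authorization_requested: bool = False) -> Outcome:
    chosen = select_by_priority(determinations, priority)
    # Assumption: only "authorized" raises the enable signal.
    signal = StatusSignal84(chosen.status == "authorized", chosen.ca_process)
    crypto_info = None
    request_to = None
    if signal.enable:
        algorithm_data = algorithm_store.get(chosen.ca_process)
        if algorithm_data is None:
            # Assumption: with no algorithm-defining data in memory the
            # decryptor stays disabled instead of reusing another algorithm.
            signal = replace(signal, enable=False)
        else:
            crypto_info = {"session_key": session_key,
                           "algorithm_data": algorithm_data}
    elif chosen.status == "not presently authorized" and authorization_requested:
        # Authorization request signal 41 turns into request signal 29,
        # addressed to the provider of the selected segment.
        request_to = chosen.provider
    return Outcome(chosen.provider, signal, chosen.status, crypto_info, request_to)


# Constructed sample data: two providers offer the same segment.
ALGORITHM_STORE = {"A": b"algorithm-A-definition"}   # process B not yet stored
SESSION_KEY = b"\x00" * 16                           # placeholder key K
```

Because the priority order is passed in as data, swapping the tuple models the downloaded or smart-card-supplied priority change without touching the selection logic.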

The status determined by the authorization processor 71 is indicated by a status 
signal 88 provided by the authorization processor 71 to the message display driver 76,
which in turn retrieves a status message 43 corresponding to the indicated status from the
memory 74 and provides the status message 43 to the information processor 35. The user
of the information receiver is informed of the determined status by the status message
display 45 on the video monitor 37. The status signals 84, 88 and the display 45 of the
status are provided in response to each service request signal 40 notwithstanding whether
the selected information segment is provided by one or more different service providers.

When the status is "not presently authorized", the user may operate the user
interface processor 34 to provide an authorization request signal 41 to the authorization
processor 71. The authorization processor 71 responds to the authorization request signal
41 by generating a request for cryptographic information signal 29 that is transmitted to
the information server 10a, 10b of the service provider that provides the selected
information segment identified in the service request signal 40. The request for
cryptographic information signal 29 is a request for transmission to the information
receiver of cryptographic information for enabling the conditional access controller 32 to
enable the decryptor 31 to decrypt the selected information segment identified in the
service request signal 40.

The authorization processor 28 in the information server 10a receives and 
processes the request for cryptographic information signal 29 to determine whether or not 
the information receiver from which the request signal 29 originated should be authorized 
to decrypt the selected information segment. Upon determining that such information 
receiver should be so authorized, the authorization processor 28 causes the requested 
cryptographic information 90 to be included in entitlement messages 26 provided by the
entitlement message generator 20 that are addressed to the information receiver from
which the request signal 29 originated, together with authorization messages 79 that will
cause the authorization processor 71 in the information receiver to determine that the
decryptor 31 in the information receiver is authorized to decrypt the selected encrypted
information segment. If the cryptographic information generator 72 is of the type
described in the aforementioned U.S. Patent No. 4,712,238, at least some of the key
seed(s) stored in the memory 74 of the information receiver would have to be known to
the information service provider providing such authorization. 

In the conditional access controller 32 of the information receiver, the control
processor 70 downloads cryptographic information transmitted to the information receiver
in response to the request for cryptographic information signal 29 by detecting the
transmitted cryptographic information within an information stream of entitlement
messages 26 received by the information receiver and by downloading the detected
cryptographic information from such information stream.

The transmitted cryptographic information downloaded by the control processor 
70 includes cryptographic data 92 for defining the algorithm that is used in the conditional
access process utilized by the information server 10a, 10b that encrypts the selected
encrypted information segment and cryptographic data for use in generating a session key
for use by the decryptor 32 for decrypting information segments encrypted in accordance
with the given conditional access process, including data for defining an algorithm for
generating the session key and cryptographic information of the type that typically is
provided to information receivers in the rekey messages. The transmitted cryptographic
information may be encrypted for transmission in order to enhance security, in which case
the control processor 70 includes a decryptor (not shown) for decrypting the transmitted
cryptographic information. Also, data for defining a new encryption algorithm as well as
other cryptographic information may be transmitted at the instigation of the conditional
access information service provider rather than in response to a request signal 29
whenever it is desired to change the encryption algorithm or such other cryptographic
information.

The downloaded algorithm-defining data 92 is stored in the memory 74 for
retrieval by the cryptographic information generator 72 when the authorization processor
provides a status signal 84 identifying the conditional access process that utilizes the
downloaded algorithm-defining data 92. The remainder of the downloaded cryptographic
information is included in the cryptographic messages 80 provided by the control
processor 70 to the cryptographic information generator 72 and processed by the
cryptographic information generator 72 to generate the session key K included in the
cryptographic information 42 provided to the decryptor 31.

Alternatively, the cryptographic information, including the algorithm-defining data
required for decrypting encrypted information signals encrypted in accordance with a
conditional access process of a given information server, can be downloaded into the
memory 74 from a smart card 75 sent to the user of the information receiver. This
technique of downloading the required algorithm-defining data can be used whenever the
algorithm utilized by a given information server 10a, 10b is changed or when a user of an
information receiver newly becomes a subscriber to information services provided by the
information service provider that operates the information server that utilizes the
algorithm defined by such downloaded algorithm-defining data.

Referring to FIG. 5, an alternative preferred embodiment of the conditional access
controller 32, 52 is provided for a conditional access system in which the combined signal
27a, 27b transmitted to the information receiver 12, 49 includes all of the possible status
messages 94 in addition to the entitlement messages 26 and the encrypted information
segments 23. In this embodiment, the conditional access controller 32, 52 includes a
control processor 95, an authorization processor 96, a cryptographic information
generator 97, a memory 98 preferably including one or more smart cards 99, and a
message display driver 100.

The control processor 95 processes the entitlement messages 26 to provide 
authorization messages 102 to the authorization processor 95 and cryptographic messages 
103 to the cryptographic information generator 97. 

The authorization processor 96 responds to a service request signal 40 identifying
a selected information segment by processing an authorization signal within the
authorization messages 102 that is related to the selected information segment with
authorization data 105 stored in the memory 98 to determine whether or not the decryptor
31 is enabled to decrypt the selected information segment and to determine which of a
plurality of different possible authorization statuses is applicable to the selected
information segment. Upon determining the authorization status of the information
receiver, the authorization processor 96 provides a first status signal 106 to the
cryptographic information generator 97 and a second status signal 107 to the control
processor 95.

The control processor 95 responds to the status signal 107 by retrieving from a 
plurality of different possible authorization status messages 94 within an information 
stream received by the information receiver a message 108 applicable to the status 
determined by the authorization processor 96, as indicated by the status signal 107. The
control processor 95 retrieves the applicable status message from the information stream by
detecting the applicable status message 108 within the different possible authorization
status messages 94 and by downloading the detected applicable status message 108 from
said information stream. The control processor 95 provides the downloaded retrieved
status message 108 to the message display driver 100, which in turn provides the
downloaded status message 110 to the information processor 35 for display by the
information output device 36.

The cryptographic information generator 97 responds to the status signal 106 by 
processing the cryptographic messages 103 together with cryptographic data 112 retrieved
from the memory 98 to thereby provide to the decryptor 31 the cryptographic information
42 that enables the decryptor 31 to decrypt the received encrypted information segments
23 identified by the service request signal 40.

Except for the downloading and provision of the status message 108 that is to be 
displayed, the functions of the components of the conditional access controller of FIG. 5
are the same as the functions of the like components in the conditional access controller of
FIG. 4, including the downloading of the cryptographic information from the information
stream.

The memory 74, 98 includes computer readable storage media (or medium) that
are configured so as to cause the access control processor 30, 50 to perform its various
functions described above.

The information segments 14a, 14b that are encrypted may include an MPEG-2 
video signal. MPEG-2 is an ISO (International Standards Organization) standard 
provided by Moving Picture Expert Group Number 2 for television compression and
decompression equipment. The information processor 35, 55 may be an MPEG
decompressor.

The present invention affords availability to a set-top, such as a digital
entertainment terminal, of a network interface module that can, through a conditional
access/encryption algorithm-defining data downloading process from the information
distribution network gateway equipment, accommodate and run the decryption algorithms
of the conditional access system service provider selected by the information provider.
Hence each conditional access service provider can customize its own conditional access
algorithms, including the information segment encryption algorithm. Accordingly the
required integrated circuit sets in a present day proprietary network interface module are
replaced by the access control processor of the present invention. A network interface
module including the access control processor of the present invention does not depend
upon a fixed access control process or a fixed security algorithm architecture for the
security provided to the information provider, such as a programmer, but instead provides
a flexible crypto-system architecture that through its use of flexible algorithm information
stream encryption equipment, flexible message protocol standard, and/or a high-security
yet low-cost smart card, responds economically to any security breach, since algorithms
are easily changed to offset gains pirates may have made by breaking the code of a
particular encryption algorithm.

The present invention also provides mobility to a subscriber owning an information
receiver in that the subscriber's entitlements can be carried from set-top to set-top through 
the simple issuance of a new smart card, one that is matched to the information provider in 
the information provider's new service area. 

The use of a smart card, in addition to the provision of mobility and an enhanced
level of flexibility to the marketing of services, special programming, ease of maintenance,
ease of update, etc., also provides an enhanced level of security through the timed elements
of validity and the personalization of the cards upon a subscriber subscribing for the
services. 

The present invention also will allow the service providers to have maximum
flexibility for purchase of multi-vendor equipment and multi-vendor encryption systems 
with lower prices derived from open competition. 

The advantages specifically stated herein do not necessarily apply to every
conceivable embodiment of the present invention. Further, such stated advantages of the
present invention are only examples and should not be construed as the only advantages of
the present invention. While the above description contains many specificities, these
should not be construed as limitations on the scope of the present invention, but rather as
examples of the preferred embodiments described herein. Other variations are possible
and the scope of the present invention should be determined not by the embodiments
described herein but rather by the claims and their legal equivalents.

CLAIMS

1. An access control processor for a conditional access system in which encrypted
information segments provided by a plurality of information service providers are
encrypted for transmission in accordance with different conditional access processes
respectively utilizing different algorithms for encrypting the information segments, the
processor comprising

a decryptor in an information receiver for decrypting encrypted information
segments received by the information receiver by processing the received encrypted
information segments with a session key used for encrypting the information segments in
accordance with an algorithm utilized in one of said conditional access processes; and

a conditional access controller in the information receiver for selectively enabling
the decryptor to decrypt received information segments encrypted in accordance with any
of said different conditional access processes by providing to the decryptor cryptographic
information for defining the algorithm utilized in said one of said different conditional
access processes for use by the decryptor to decrypt the received information segment
encrypted in accordance with said algorithm.

2. A processor according to Claim 1, wherein the conditional access controller
includes

means for detecting within an information stream received by the information
receiver cryptographic information for defining the algorithm used for encrypting
information segments in accordance with said one of said different conditional access
processes, and

means for downloading the detected cryptographic information from said
information stream.

3. A processor according to Claim 1, wherein the conditional access controller
includes a replaceable security element, such as a smart card, for providing cryptographic
information for defining the algorithm.

4. A processor according to Claim 1, wherein the conditional access controller
includes a memory in the information receiver storing cryptographic information for
defining said different algorithms respectively utilized in said different conditional access
processes.



5. A processor according to Claim 1, wherein the conditional access controller
selectively provides the cryptographic information for defining the algorithm utilized in
said one conditional access process to the decryptor in accordance with a signal
identifying said one conditional access process as the conditional access process used for
encrypting the received information segments.



6. A processor according to Claim 1, wherein the conditional access controller
comprises

means for processing an authorization signal related to a selected information
segment provided by each of a plurality of said service providers to determine which of a
plurality of different possible authorization statuses is applicable to the selected
information segment provided by each of the service providers; and

means for selecting for decryption in accordance with a predetermined priority
based upon said status determinations the encrypted information segment provided by one
of said service providers.



7. A processor according to Claim 6, wherein the cryptographic information for
defining the algorithm provided by the conditional access controller to the decryptor is 
provided in accordance with said selection of the selected encrypted information segment 
provided by said one service provider. 



8. A processor according to Claim 1 in combination with a demultiplexer in the 
information receiver, wherein the demultiplexer is adapted for demultiplexing a received 
combined signal containing encrypted information segments and entitlement messages;

wherein the decryptor is coupled to the demultiplexer for receiving the
demultiplexed encrypted information segments for said decryption, and

wherein the conditional access controller is coupled to the demultiplexer for
receiving the demultiplexed entitlement messages for processing in order to so enable the
decryptor.

9. A processor according to Claim 1 in combination with a demultiplexer in the
information receiver, wherein the decryptor is adapted for decrypting encrypted
information segments in a received combined signal containing encrypted information
segments and entitlement messages;

wherein the demultiplexer is coupled to the decryptor for demultiplexing the
combined signal following said decryption of the encrypted information segments by the
decryptor; and

wherein the conditional access controller is coupled to the demultiplexer for
receiving the demultiplexed entitlement messages for processing in order to so enable the
decryptor.

10. An access control processor for a conditional access system in which an
encrypted information segment provided by an information service provider is encrypted
for transmission in accordance with a conditional access process utilizing an algorithm for
encrypting the information segment, the processor comprising

a decryptor in an information receiver for decrypting encrypted information
segments received by the information receiver by processing the received encrypted
information segments with a session key used for encrypting the information segments in
accordance with the algorithm utilized in said conditional access process; and

a conditional access controller in the information receiver for enabling the
decryptor to decrypt received information segments encrypted in accordance with said
conditional access process by providing to the decryptor cryptographic information for
defining the algorithm utilized in said conditional access process for use by the decryptor
to decrypt the received information segments encrypted in accordance with said algorithm,

wherein the conditional access controller includes

means for detecting within an information stream received by the
information receiver cryptographic information for defining the algorithm used for
encrypting information segments in accordance with said conditional access
process, and

means for downloading the detected cryptographic information from said
information stream.



11. An access control processor for a conditional access system in which an
encrypted information segment provided by an information service provider is encrypted
for transmission in accordance with a given conditional access process, the processor 
comprising 

a decryptor in an information receiver for decrypting encrypted information 
segments received by the information receiver; and 

a conditional access controller in the information receiver for enabling the 
decryptor to decrypt received information segments encrypted in accordance with the 
given conditional access process, 

wherein the conditional access controller includes 

means for requesting transmission to the information receiver of 
cryptographic information for enabling the conditional access controller to enable 
the decryptor to decrypt a selected information segment; and 

means for downloading cryptographic information transmitted to the
receiver in response to said request. 

12. A processor according to Claim 11, wherein the transmitted cryptographic
information includes cryptographic data for defining an algorithm used by the decryptor
for decrypting information segments encrypted in accordance with the given conditional
access process.

13. A processor according to Claim 12, wherein the downloading means includes
means for detecting the transmitted cryptographic data for defining the algorithm within an
information stream received by the information receiver and means for downloading the
detected cryptographic information from said information stream.

14. A processor according to Claim 11, wherein the requested cryptographic
information includes data for use in generating a session key for use by the decryptor for
decrypting information segments encrypted in accordance with the given conditional
access process; and

the conditional access controller includes means for processing the downloaded
session key generation data to generate said session key.

15. A processor according to Claim 14, wherein the downloading means includes
means for detecting the transmitted session key generation data within an information
stream received by the information receiver and means for downloading the detected
session key generation data from said information stream.

16. A processor according to Claim 11, wherein the conditional access controller
includes

means for processing an authorization signal related to the selected information
segment to determine whether or not the decryptor is enabled to decrypt the selected
information segment and to determine which of a plurality of different possible
authorization statuses is applicable to the selected information segment;

means for retrieving from a plurality of different possible authorization status
messages within an information stream received by the information receiver a message
applicable to the status determined by said processing; and

means for providing the retrieved message for display.



17. An access control processor for providing for display of a message related to 
an authorization status of an information receiver in a conditional access system for
receiving an information segment, the processor comprising 

means for processing an authorization signal related to the information segment to 
determine which of a plurality of different possible authorization statuses is applicable to 
the information segment;

means for retrieving from a plurality of different possible authorization status
messages within an information stream received by the information receiver a message
applicable to the status determined by said processing; and

means for providing the retrieved message for display.



18. A processor according to Claim 17, wherein the information segment is
provided separately by each of a plurality of different service providers;

wherein the processing means include

means for processing a plurality of authorization signals respectively
related to the information segment provided separately by the plurality of different
service providers;

means determining which of a plurality of different possible authorization
statuses is applicable for the received information segment for each of the
respective authorization signals related to the different service providers; and

means for selecting one of the determined statuses in accordance with a
predetermined priority, and

wherein the retrieving means includes means for retrieving the message applicable
to the status selected by the selecting means.

19. An access control processor for providing for display of a message related to
an authorization status of an information receiver in a conditional access system for
receiving an information segment when the information segment is provided separately by
each of a plurality of different service providers, the processor comprising

means for processing a plurality of authorization signals respectively related to the
information segment provided separately by the plurality of different service providers;

means determining which of a plurality of different possible authorization statuses
is applicable for the received information segment for each of the respective authorization
signals related to the different service providers;

means for selecting one of the determined statuses in accordance with a
predetermined priority;

means for selecting from a plurality of different possible authorization status
messages the message applicable to the status determined in accordance with said priority;
and

means for providing the selected message for display.

20. An access control processor for selecting an applicable authorization status of
an information receiver for receiving an information segment when the information
segment is provided separately by each of a plurality of different service providers in a
conditional access system, the processor comprising

means for processing a plurality of authorization signals respectively related to the
information segment provided separately by the plurality of different service providers;

means for determining which of a plurality of different possible authorization
statuses is applicable for the received information segment for each of the respective
authorization signals related to the different service providers, and

means for selecting one of the determined statuses in accordance with a
predetermined priority.

21. A conditional access system in which encrypted information is provided by a
plurality of information service providers in accordance with different conditional access
processes respectively utilizing different algorithms for encrypting the information,
comprising

encryption means for encrypting information segments for transmission in
accordance with different conditional access processes respectively utilizing different
algorithms for encrypting the information segments;

a decryptor in an information receiver for decrypting encrypted information
segments received by the information receiver by processing the received encrypted
information segments with a session key used for encrypting the information segments in
accordance with an algorithm utilized in one of said conditional access processes; and

a conditional access controller in the information receiver for selectively enabling 
the decryptor to decrypt received information segments encrypted in accordance with any 
of said different conditional access processes by providing to the decryptor cryptographic 
information for defining the algorithm utilized in said one of said different conditional 
access processes for use by the decryptor to decrypt the received information segment 
encrypted in accordance with said algorithm. 

22. A system according to Claim 21, further comprising 

means for requesting transmission to the information receiver of cryptographic 
information for defining the algorithm utilized in said one of said different conditional 
access processes; 

means for responding to said request by transmitting the requested cryptographic
information; and

means in the information receiver for downloading the transmitted cryptographic
information.



23. A system according to Claim 22, wherein the conditional access controller
includes the means for downloading the transmitted cryptographic information, to wit:
means for detecting the transmitted cryptographic information within an information
stream received by the information receiver and means for downloading the detected
cryptographic information from said information stream.



24. A system according to Claim 21, further comprising

means for requesting transmission to the information receiver of other
cryptographic information used by the conditional access controller for enabling the
decryptor to decrypt the information encrypted in accordance with one of said different
conditional access processes;

means for responding to said request by transmitting the requested other
cryptographic information; and

means in the information receiver for downloading the transmitted other
cryptographic information.



25. A system according to Claim 24, wherein the conditional access controller
includes the means for downloading the transmitted other cryptographic information, to
wit: means for detecting the transmitted other cryptographic information within an
information stream received by the information receiver and means for downloading the
detected other cryptographic information from said information stream.

26. A system according to Claim 24, wherein the other cryptographic information
includes data for use in generating a session key for use by the decryptor for decrypting
information segments encrypted in accordance with the algorithm utilized in said one of
said different conditional access processes, and

the conditional access controller includes means for processing the downloaded
session key generation data to generate said session key.

27. A conditional access system in which encrypted information is provided by
an information service provider in accordance with a given conditional access process,
comprising

encryption means for encrypting an information segment for transmission in
accordance with a given conditional access process;

a decryptor in an information receiver for decrypting encrypted information
segments received by the information receiver;

a conditional access controller in the information receiver for enabling the
decryptor to decrypt received information segments encrypted in accordance with the
given conditional access process, wherein the conditional access controller includes

means for requesting transmission to the information receiver of
cryptographic information for enabling the conditional access controller to enable
the decryptor to decrypt a selected information segment; and

means for downloading cryptographic information transmitted to the
receiver in response to said request; and

the system further comprising

means for responding to said request by providing the requested cryptographic
information for transmission to the information receiver.

28. A system according to Claim 27, wherein the requested cryptographic
information includes cryptographic data for defining an algorithm used by the decryptor
for decrypting information segments encrypted in accordance with the given conditional
access process.

29. A system according to Claim 28, wherein the downloading means includes
means for detecting the transmitted cryptographic data for defining the algorithm within an
information stream received by the information receiver and means for downloading the
detected cryptographic data from said information stream.

30. A system according to Claim 27, wherein the requested cryptographic
information includes data for use in generating a session key for use by the decryptor for
decrypting information segments encrypted in accordance with the given conditional
access process, and

the conditional access controller includes means for processing the downloaded
session key generation data to generate said session key.

31. A system according to Claim 30, wherein the downloading means includes
means for detecting the transmitted session key generation data within an information
stream received by the information receiver and means for downloading the detected
session key generation data from said information stream.

32. A system according to Claim 27, wherein the conditional access controller
includes

means for processing an authorization signal related to the selected information
segment to determine whether or not the decryptor is enabled to decrypt the selected
information segment and to determine which of a plurality of different possible
authorization statuses is applicable to the selected information segment;

means for retrieving from a plurality of different possible authorization status
messages within an information stream received by the information receiver a message
applicable to the status determined by said processing; and

means for providing the retrieved message for display.

33. A computer readable storage medium for use in an access control processor
included in an information receiver of a conditional access system in which encrypted
information segments provided by a plurality of information service providers are
encrypted for transmission in accordance with different conditional access processes
respectively utilizing different algorithms for encrypting the information segments, and
including a decryptor for decrypting encrypted information segments received by the
information receiver by processing the received encrypted information segments with a
session key used for encrypting the information segments in accordance with an algorithm
utilized in one of said conditional access processes; and a conditional access controller,

wherein the storage medium is configured so as to cause the conditional access
controller to selectively enable the decryptor to decrypt received information segments
encrypted in accordance with any of said different conditional access processes, by
providing to the decryptor cryptographic information for defining the algorithm utilized in
said one of said different conditional access processes for use by the decryptor to decrypt
the received information segment encrypted in accordance with said algorithm.

34. A storage medium according to Claim 33, further configured so as to cause 
the conditional access controller to detect within an information stream received by the 
information receiver cryptographic information for defining the algorithm used for 
encrypting information segments in accordance with said one of said different conditional 
access processes and to download the detected cryptographic information from said
information stream. 

35. A computer readable storage medium for use in an access control processor
included in an information receiver of a conditional access system in which encrypted
information segments provided by an information service provider are encrypted for
transmission in accordance with a conditional access process utilizing an algorithm for
encrypting the information segments, and including a decryptor for decrypting encrypted
information segments received by the information receiver by processing the received
encrypted information segments with a session key used for encrypting the information
segments in accordance with the algorithm utilized in said conditional access process; and
a conditional access controller,

wherein the storage medium is configured so as to cause the conditional access
controller to enable the decryptor to decrypt received information segments encrypted in
accordance with said conditional access process by providing to the decryptor
cryptographic information for defining the algorithm utilized in said conditional access
process for use by the decryptor to decrypt the received information segment encrypted in
accordance with said algorithm, by causing the conditional access controller to detect
within an information stream received by the information receiver cryptographic
information for defining the algorithm used for encrypting information segments in
accordance with said conditional access process and to download the detected
cryptographic information from said information stream.

36. A computer readable storage medium for use in an access control processor
included in an information receiver of a conditional access system in which an encrypted
information segment provided by an information service provider is encrypted for
transmission in accordance with a given conditional access process, and including a
decryptor and a conditional access controller,

wherein the storage medium is configured so as to cause the conditional access
controller to enable the decryptor to decrypt received information segments encrypted in
accordance with the given conditional access process, by requesting transmission to the
information receiver of cryptographic information for enabling the conditional access
controller to enable the decryptor to decrypt the selected information segment and by
downloading cryptographic information transmitted to the receiver in response to said
request.

37. A computer readable storage medium configured so as to cause an access
control processor to select an applicable authorization status of an information receiver for
receiving an information segment when the information segment is provided separately by
each of a plurality of different service providers in a conditional access system, by
processing a plurality of authorization signals respectively related to the information
segment provided separately by the plurality of different service providers, determining
which of a plurality of different possible authorization statuses is applicable for the
received information segment for each of the respective authorization signals related to the
different service providers, and selecting one of the determined statuses in accordance
with a predetermined priority.

38. A computer readable storage medium configured so as to cause an access
control processor to provide for display of a message related to an authorization status of
an information receiver in a conditional access system for receiving an information
segment, by processing an authorization signal related to the information segment to
determine which of a plurality of different possible authorization statuses is applicable to
the information segment, retrieving from a plurality of different possible authorization
status messages within an information stream received by the information receiver a
message applicable to the status determined by said processing, and providing the
retrieved message for display.

39. A conditional access method in which encrypted information is provided by a
plurality of information service providers in accordance with different conditional access
processes respectively utilizing different algorithms for encrypting the information,
comprising the steps of

(a) encrypting information segments for transmission in accordance with different
conditional access processes respectively utilizing different algorithms for encrypting the
information segments;

(b) using a decryptor in an information receiver to decrypt encrypted information
segments received by the information receiver by processing the received encrypted
information segments with a session key used for encrypting the information segments in
accordance with an algorithm utilized in one of said conditional access processes; and

(c) in the information receiver, selectively enabling the decryptor to decrypt
received information segments encrypted in accordance with any of said different
conditional access processes by providing to the decryptor cryptographic information for
defining the algorithm utilized in said one of said different conditional access processes for
use by the decryptor to decrypt the received information segment encrypted in accordance
with said algorithm.



40. A method according to Claim 39, wherein step (c) comprises the steps of

(d) detecting within an information stream received by the information receiver
cryptographic information for defining the algorithm used for encrypting information
segments in accordance with said one of said different conditional access processes; and

(e) downloading the detected cryptographic information from said information
stream.

41. A method according to Claim 39, wherein step (c) comprises the step of

(d) providing the cryptographic information for defining the algorithm in
accordance with a signal identifying said one conditional access process as the conditional
access process used for encrypting the received information segments.

42. A method according to Claim 39, wherein step (c) comprises the step of

(d) providing the cryptographic information from a memory in the information
receiver storing cryptographic information for defining said different algorithms
respectively utilized in said different conditional access processes.



43. A method according to Claim 39, further comprising the steps of:

(d) processing an authorization signal related to a selected information segment
provided by each of a plurality of said service providers to determine which of a plurality
of different possible authorization statuses is applicable to the selected information
segment provided by each of the service providers; and

(e) selecting for decryption in accordance with a predetermined priority based
upon said status determinations the encrypted information segment provided by one of
said service providers.

44. A method according to Claim 43, wherein step (c) comprises the step of

(f) providing the cryptographic information for defining the algorithm to the
decryptor in accordance with said selection of the encrypted information segment
provided by said one service provider.



45. A method according to Claim 39, further comprising the steps of

(d) requesting transmission to the information receiver of cryptographic
information for defining the algorithm utilized in said one of said different conditional
access processes;

(e) responding to said request by transmitting the requested cryptographic
information; and

(f) in the information receiver, downloading the transmitted cryptographic
information.



46. A method according to Claim 45, wherein step (f) includes the steps of

(g) detecting the transmitted cryptographic information within an information
stream received by the information receiver; and

(h) downloading the detected cryptographic information from said information
stream.

47. A method according to Claim 39, further comprising the steps of

(d) requesting transmission to the information receiver of cryptographic
information used for enabling decryption of the information encrypted in one of said
different conditional access processes;

(e) responding to said request by transmitting the requested cryptographic
information; and

(f) in the information receiver, downloading the transmitted cryptographic
information.

48. A method according to Claim 47, wherein step (f) includes the steps of:

(g) detecting the transmitted cryptographic information within an information
stream received by the information receiver; and

(h) downloading the detected cryptographic information from said information
stream.

49. A method according to Claim 47, wherein the cryptographic information
includes data for use in generating a session key for use by the decryptor for decrypting
information segments encrypted in accordance with said one conditional access process.

50. A conditional access method in which encrypted information is provided by an
information service provider in accordance with a conditional access process utilizing an
algorithm for encrypting the information, comprising the steps of:

(a) using a decryptor in an information receiver to decrypt encrypted information
segments received by the information receiver by processing the received encrypted
information segments with a session key used for encrypting the information segments in
accordance with the algorithm utilized in said conditional access process; and




(b) in the information receiver, enabling the decryptor to decrypt received
information segments encrypted in accordance with said conditional access process by
providing to the decryptor cryptographic information for defining the algorithm utilized in
said conditional access process for use by the decryptor to decrypt the received
information segment encrypted in accordance with said algorithm, wherein step (b)
comprises the steps of

(c) detecting within an information stream received by the information
receiver cryptographic information for defining the algorithm used for encrypting
information segments in accordance with said conditional access process; and

(d) downloading the detected cryptographic information from said
information stream.

51. A conditional access method in which encrypted information is provided by
an information service provider in accordance with a given conditional access process,
comprising the steps of

(a) encrypting an information segment for transmission in accordance with a given
conditional access process;

(b) using a decryptor in an information receiver to decrypt encrypted information
segments received by the information receiver;

(c) in the information receiver, enabling the decryptor to decrypt the received
information segments encrypted in accordance with the given conditional access process,

wherein step (c) includes the steps of:

(d) requesting transmission to the information receiver of cryptographic
information for enabling decryption of a selected information segment; and

(e) in the information receiver, downloading cryptographic information
transmitted to the receiver in response to said request; and






the method further comprising the step of

(f) responding to said request by providing the requested cryptographic
information for transmission to the information receiver.

52. A method according to Claim 51, wherein the requested cryptographic
information includes cryptographic data for defining an algorithm used by the decryptor
for decrypting information segments encrypted in accordance with the given conditional
access process.



53. A method according to Claim 52, wherein step (e) includes the steps of

(g) detecting the transmitted cryptographic data within an information stream
received by the information receiver; and

(h) downloading the detected cryptographic data from said information stream.

54. A method according to Claim 51, wherein the requested cryptographic
information includes data for use in generating a session key for use by the decryptor for
decrypting information segments encrypted in accordance with the given conditional
access process.

55. A method according to Claim 54, wherein step (e) includes the steps of

(g) detecting the transmitted session key generation data within an information
stream received by the information receiver; and

(h) downloading the detected session key generation data from said information
stream.

56. A method according to Claim 51, further comprising the steps of:

(g) processing an authorization signal related to the selected information segment
to determine whether or not decryption of the selected information segment is enabled and
to determine which of a plurality of different possible authorization statuses is applicable
to the selected information segment;

(h) retrieving from a plurality of different possible authorization status messages
within an information stream received by the information receiver a message applicable to
the status determined by said processing; and

(i) providing the retrieved message for display.



57. A method of providing for display of a message related to an authorization
status of an information receiver in a conditional access system for receiving an
information segment, comprising the steps of

(a) processing an authorization signal related to the information segment to
determine which of a plurality of different possible authorization statuses is applicable to
the information segment;

(b) retrieving from a plurality of different possible authorization status messages
within an information stream received by the information receiver a message applicable to
the status determined by said processing; and

(c) providing the retrieved message for display.

58. A method according to Claim 57, wherein the information segment is provided
separately by each of a plurality of different service providers,

wherein step (a) comprises the steps of:

(d) processing a plurality of authorization signals respectively related to the
information segment provided separately by the plurality of different service providers;

(e) for each of the respective authorization signals related to the different service
providers determining which of the plurality of different possible authorization statuses is
applicable for the received information segment; and

(f) selecting in accordance with a predetermined priority one of the statuses
determined by step (e), and

wherein step (b) comprises retrieving the message applicable to the status selected
by step (f).

59. A method of providing for display of a message related to an authorization
status of an information receiver in a conditional access system for receiving an
information segment when the information segment is provided separately by each of a
plurality of different service providers, comprising the steps of

(a) processing a plurality of authorization signals respectively related to the
information segment provided separately by the plurality of different service providers;

(b) for each of the respective authorization signals related to the different service
providers determining which of a plurality of different possible authorization statuses is
applicable for the received information segment; and

(c) selecting in accordance with a predetermined priority one of the statuses
determined by step (b);

(d) selecting from a plurality of different possible authorization status messages
the message applicable to the status determined by step (c); and

(e) providing the selected message for display.



60. A method of selecting an applicable authorization status of an information
receiver for receiving an information segment when the information segment is provided
separately by each of a plurality of different service providers in a conditional access
system, comprising the steps of

(a) processing a plurality of authorization signals respectively related to the
information segment provided separately by the plurality of different service providers;

(b) for each of the respective authorization signals related to the different service
providers determining which of a plurality of different possible authorization statuses is
applicable for the received information segment; and

(c) selecting in accordance with a predetermined priority one of the statuses
determined by step (b).
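
The selection logic recited in Claims 37, 43 and 57 to 60, together with the request step of Claim 45, can be sketched as follows. This is an added illustration, not code from the patent: the status names, their priority order, the fields of the authorization signal and the layout of the stream tables are all assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Status(Enum):  # hypothetical statuses; the claims do not name any
    AUTHORIZED = "authorized"
    PURCHASABLE = "purchasable"
    BLACKED_OUT = "blacked_out"
    NOT_SUBSCRIBED = "not_subscribed"


# Assumed "predetermined priority": earlier entries win.
PRIORITY = [Status.AUTHORIZED, Status.PURCHASABLE,
            Status.BLACKED_OUT, Status.NOT_SUBSCRIBED]


@dataclass(frozen=True)
class AuthSignal:  # one authorization signal per provider for the same segment
    provider: str
    ca_process: str          # identifies the conditional access process in use
    required_tier: int       # entitlement bit the receiver must hold
    blackout_regions: tuple
    purchasable: bool


@dataclass(frozen=True)
class Receiver:
    tiers: dict              # provider -> entitlement bitmask held by the receiver
    region: str


def determine_status(sig, rx):
    """Determine which status applies to one provider's authorization signal."""
    if rx.region in sig.blackout_regions:
        return Status.BLACKED_OUT
    if rx.tiers.get(sig.provider, 0) & sig.required_tier:
        return Status.AUTHORIZED
    return Status.PURCHASABLE if sig.purchasable else Status.NOT_SUBSCRIBED


def select_offer(signals, rx):
    """Determine a status per provider, then select one by the fixed priority."""
    if not signals:
        raise ValueError("no authorization signal for the selected segment")
    scored = [(determine_status(s, rx), s) for s in signals]
    return min(scored, key=lambda pair: PRIORITY.index(pair[0]))


def control(signals, rx, stream):
    """Pick the offer, look up the display message, and release algorithm data."""
    status, sig = select_offer(signals, rx)
    messages = stream["status_messages"]   # message table carried in the stream
    result = {"status": status, "provider": sig.provider,
              "message": messages.get(status.value, "Service unavailable"),
              "algorithm": None, "request": None}
    # Fail closed: only an AUTHORIZED status releases algorithm-defining data.
    if status is Status.AUTHORIZED:
        result["algorithm"] = stream["algorithms"].get(sig.ca_process)
        if result["algorithm"] is None:
            # Not yet downloaded: ask for its transmission (as in Claim 45).
            result["request"] = sig.ca_process
    return result


# Constructed sample data: two providers carry the same segment.
STREAM = {
    "status_messages": {"authorized": "Authorized",
                        "purchasable": "Press BUY to order",
                        "blacked_out": "Not available in your area",
                        "not_subscribed": "Call to subscribe"},
    "algorithms": {"ca-A": {"rounds": 16, "table_id": 3}},
}
SIGNALS = [AuthSignal("P1", "ca-A", 0b010, ("R7",), False),
           AuthSignal("P2", "ca-B", 0b100, (), True)]

if __name__ == "__main__":
    for rx in (Receiver({"P1": 0b010}, "R1"), Receiver({"P1": 0b010}, "R7")):
        print(control(SIGNALS, rx, STREAM))
```
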